RSA CONFERENCE 2021 – Microsoft products accounted for 47% of the CVEs that cybercriminals request across underground forums, according to researchers who conducted a yearlong study into the exploit market.

The research spanned more than 600 English and Russian language forums, said Mayra Rosario Fuentes, senior threat researcher at Trend Micro, who presented some of the findings in her RSA Conference talk "Tales from the Underground: The Vulnerability Weaponization Lifecycle." Researchers sought to learn which exploits were sold and requested, the types of sellers and buyers involved in transactions, and how their findings compared with their detection systems'.

Researchers scoured advertisements for the sales of exploits from January 2019 through December 2020. They learned Microsoft's tools and services made up 47% of all requested CVEs on underground forums. Internet-connected products made up only 5%, "but with increased bandwidth of connected devices with the new 5G entering the market, IoT devices will become more vulnerable to cyberattack," noted Fuentes in her talk.

More than half (52%) of exploits requested were less than two years old. Buyers were willing to pay an average of $2,000 (USD) for requested exploits; however, some offered up to $10,000 for zero-day exploits targeting Microsoft products.

Fuentes shared some examples of these exploit requests. One forum post requested help regarding an exploit for CVE-2019-1151, a Microsoft Graphics remote code execution (RCE) vulnerability that exists when the Windows font library improperly handles specially crafted embedded fonts. Another offered $2,000 for help in exploiting an RCE flaw in the Apache Web server.

When researching forum posts advertising exploits, researchers found 61% targeted Microsoft products. The highest percentage (31%) were for Microsoft Office, 15% were for Microsoft Windows, 10% were for Internet Explorer, and 5% were for Microsoft Remote Desktop Protocol. Fuentes noted exploits for Office and Adobe were most common in English language forums.  

A comparison of cybercriminals' wish lists and sold exploits revealed parallels between the two categories, Fuentes pointed out.

"We noticed what was requested was very similar to what the market was offering," she said. "Cybercriminals may have seen the requested items from users before deciding what items to offer on the market."

Microsoft Word and Excel exploits "dominated" in both categories, Fuentes continued, digging into the broader Office category. Word and Excel made up 46% of exploits on criminals' wish lists and 52% of exploits advertised on underground forums.

The Life Cycle of Underground Exploits
Fuentes discussed how exploits are developed and sold, starting from the beginning. An exploit may first be developed by an attacker, who sells it and it's then used in the wild. From there, it is usually disclosed publicly and patched by the vendor. This may end the exploit's life cycle, or it will continue to be offered for sale on Dark Web forums.

There are multiple types of sellers, she noted. An experienced seller with at least five years of experience might sell a couple of zero-day or one-day exploits per year with prices ranging from $10,000 to $500,000. Some sellers are disgruntled with bug bounty programs due to long response times or payouts lower than expected – Fuentes noted most people were happy with bug bounty experiences, but those who weren't may sell exploits on underground forums.

Other "bounty sellers" may have cashed in on the maximum amount of bounty submissions for the year, or they may offer to buy exploits they can use to cash in on bug bounty programs. There are some who find exploits that other people developed and sell them as their own.

Some sellers advertise "exploit builder" subscription services ranging from $60 for one month, to $120 for three months, to $200 for six months. The packages include a range of different types of exploits, along with "free updates" and "full support" for criminal buyers, she noted.

While zero-days may fetch a higher price, many exploits sold on the underground targeted older systems. Researchers found 22% of exploits sold were more than three years old, and 48% of those requested were older than three years. The oldest vulnerability discovered was from 1999, Fuentes said, adding the average time to patch an Internet-facing system is 71 days.

Older vulnerabilities requested included CVE-2014-0133 in Red Hat and CVE-2015-6639 in Qualcomm. Those sold included Microsoft CVE-2017-11882, a 17-year-old memory corruption issue in Microsoft Office, along with Office vulnerability CVE-2012-0158 and CVE-2016-5195, a Linux kernel vulnerability dubbed Dirty Cow that sold for $3,000 on the underground, she said.

"The longevity of a valuable exploit is longer than most expect," Fuentes said. "Patching yesterday's vulnerability can be just as important as today's critical one."

Trend Micro will release a report with the full findings in a few weeks, she noted.